Closing the IoT Security Loop: Managed PKIs with Microchip Secure Elements

A version of this article appeared in the May/June 2018 issue of Microchip MicroSolutions digital magazine

Much has been written about the need for Internet of Things (IoT) security and the problems that network access vulnerabilities can cause. However, there is very little discussion of how to solve those problems from a logistics standpoint. Specifically, how do device manufacturers address IoT security?

Authentication vs. Encryption

I’ve highlighted in my IoT security series that even though encryption prevents eavesdropping, it does not identify the party you are communicating with. If you cannot confirm identity, encryption becomes much less meaningful. The ability to verify the identity of the party you are communicating with is known as authentication, and it is the cornerstone of any robust network security scheme.

Encryption only prevents eavesdropping by malicious players. It doesn’t solve the problem of knowing who is on the other end of the communication line.

Establishing Identity with Digital Certificates

As I’ve mentioned in my IoT security series, digital certificates are generated and cryptographically signed through a secure back-end system known as a Public Key Infrastructure (PKI). You can think of a managed PKI as the government passport service and digital certificates as passports that devices use to verify their identities. A managed PKI has a certificate policy that is enforced by the Certificate Authority (CA). There are firm requirements for how certificates are issued, who can receive them, and even how authorized executable code is signed.

Imagine that you could obtain a passport from anyone, with little or no control over how and to whom passports are issued. If that were the case, the passport would lose its meaning because it no longer proves anything. You have no way of knowing whether the passport is genuine. This is what you have if you use an unmanaged PKI.

Innovations from Kyrio, CableLabs and Microchip

In 2001, CableLabs deployed one of the first large-scale autonomous device ecosystems using a managed PKI. Digital certificates were issued to verify that cable modems and set-top boxes complied with the DOCSIS communication standards, to authenticate user subscriptions and to ensure that only authorized devices accessed the network. In 2012, Kyrio was created as a commercialization path for CableLabs innovations and assumed the provisioning and management of digital certificates for CableLabs members. Since then, Kyrio’s status as a wholly-owned subsidiary has allowed the company to extend into other markets, and it is now the preferred security provider for CableLabs, OpenADR, Wi-Fi Alliance and the Center for Medical Interoperability.

Today, Kyrio and Microchip have collaborated to bring together our experience and expertise in managed PKIs and high-volume chip production. Kyrio’s coordination with Microchip gives device manufacturers a means of implementing strong authentication-based security into their small IoT devices in a highly scalable fashion.

Addressing IoT Security Issues

To successfully address IoT security issues, you must have a solution that accomplishes the following objectives:

  • It must be simple enough that it does not require cybersecurity expertise to implement
  • The solution must work within typical hardware manufacturing production flows
  • The simplicity of the solution must not weaken the security of strong identity-based authentication

Kyrio works with large manufacturers and standards groups to create custom PKIs to their specifications. Customers specify higher-level use cases and requirements, and Kyrio designs and implements the PKI to fit those requirements. We provide the security expertise so that our customers do not need to have it in-house.

For the second objective, Kyrio works closely with Microchip to integrate the PKI signature and certificate-generation process into Microchip’s high-volume manufacturing process. Microchip has a secure production line that forms an extension of Kyrio’s managed PKIs, so that secure provisioning and device key handling are fully transparent to our customers.

The third requirement arises from “simplified security” schemes that have emerged over the years. These have certainly made security easier to implement, but they have also made security much weaker.

Kyrio/Microchip Secure Solution

The joint Kyrio and Microchip Secure Element solution provides several important benefits:

  • High IoT security in a chip. Kyrio and Microchip take care of the PKI and certificate provisioning so that the device manufacturer doesn’t need in-house security expertise.
  • Fast cryptographic functions hard-coded in the Microchip ATECC608A secure element. As a designer, you do not need to worry about cipher suites; you simply call an API and let the ATECC608A do the hard work for you.
  • Prevention of large-scale cyberattacks through the secure storage of private keys in the ATECC608A. Only the cryptographic blocks within the chip can access the private keys, so the only way to steal a key is to physically remove the chip from the board.
  • Kyrio’s managed PKIs track and control device access based on individual certificate identities. Even if the chip is stolen, it can be revoked to mitigate damage.
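The flow the passport analogy and the bullets above describe (a CA that issues certificates under a fixed policy, a device whose private key never leaves the secure element, a gateway that verifies the certificate chain, checks revocation and challenges the device) can be seen end to end in the added example below. It is illustration written for this article, not Kyrio's service or Microchip's ATECC608A library: the `secureElement` type is a software stand-in for the chip, `managedPKI` is a toy CA, the CA names, device ID and nonces are constructed, and revocation is kept in an in-memory map rather than published as a CRL or OCSP response.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// secureElement stands in for the ATECC608A (simulation only): the key is
// generated inside and only Public() and Sign() are exposed, never the key.
type secureElement struct{ key *ecdsa.PrivateKey }

func newSecureElement() (*secureElement, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &secureElement{key: k}, err
}

// Public is the only key material that ever leaves the element.
func (s *secureElement) Public() crypto.PublicKey { return &s.key.PublicKey }

// Sign hashes msg and signs the digest inside the element (ASN.1 ECDSA).
func (s *secureElement) Sign(msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return s.key.Sign(rand.Reader, d[:], crypto.SHA256)
}

// managedPKI is a toy CA with a fixed issuance policy and a revocation list
// (constructed for this example; not Kyrio's service).
type managedPKI struct {
	caKey   *ecdsa.PrivateKey
	caCert  *x509.Certificate
	revoked map[string]bool // serial number -> revoked
	serial  int64
}

// signCert creates and parses a certificate; parent == tmpl self-signs.
func signCert(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newManagedPKI(name string) (*managedPKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &managedPKI{caKey: key, caCert: cert, revoked: map[string]bool{}, serial: 1}, nil
}

// Issue binds deviceID to the device's public key under the CA policy
// (one-year validity, client authentication only). Only the public key is seen.
func (p *managedPKI) Issue(deviceID string, pub crypto.PublicKey) (*x509.Certificate, error) {
	p.serial++
	return signCert(&x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, p.caCert, pub, p.caKey)
}

// Revoke withdraws trust in one certificate, e.g. after a chip is stolen.
func (p *managedPKI) Revoke(c *x509.Certificate) { p.revoked[c.SerialNumber.String()] = true }

// authenticate is the gateway side of a challenge-response: the certificate must
// chain to the managed CA and be unrevoked, and sig must cover this gateway's fresh nonce.
func authenticate(pki *managedPKI, cert *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(pki.caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by the managed PKI: %w", err)
	}
	if pki.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %s revoked", cert.SerialNumber)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("challenge signature invalid: %w", err)
	}
	return nil
}
```

To exercise it, create a `managedPKI`, a `secureElement`, issue a certificate for `se.Public()`, have the element sign a nonce and pass certificate, nonce and signature to `authenticate`. A certificate issued by a second, independently created CA (the "passport from anyone" case) is rejected with an unknown-authority error even though it names the same device and key; a signature replayed against a different nonce is rejected; after `Revoke`, the previously valid certificate is rejected as well. A real deployment publishes revocation as a CRL or via OCSP so that every gateway, not just the issuing CA's process, can check it.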

A Matter of Security vs. Logistics

The IoT security issue is not so much a security problem as it is a logistics problem. The technology to address device security on a large scale already exists. Digital certificates have been in use for decades and are a tested and trusted technology. Secure elements have been miniaturized and optimized to the point that even the smallest IoT device can use one.

Kyrio and Microchip have solved the logistics challenges behind implementing digital certificates on the massive scale that is needed for the IoT industry.

For manufacturers and service providers, Kyrio accelerates and deploys new network innovations into the ecosystem. Backed by the power of CableLabs, Kyrio sets technology on a path to commercialization, enabling not just today’s but tomorrow’s communication.

